Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:python-pyramid User: [email protected] Usertags: pu
[ Reason ] Fix CVE-2023-40587, a path traversal vulnerability affecting Pyramid when running on Python 3.11. [ Impact ] The issue is limited in scope and only affects deployments using filesystem-backed static views on vulnerable Python versions. [ Tests ] The package builds successfully and the upstream test suite passes. [ Risks ] Low. The update consists of the upstream fix for rejecting paths containing NUL bytes during static path handling. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Add upstream patch to fix CVE-2023-40587 [ Other info ] The upload will be sponsored by Colin Watson.
diff -Nru python-pyramid-2.0+dfsg/debian/changelog python-pyramid-2.0+dfsg/debian/changelog
--- python-pyramid-2.0+dfsg/debian/changelog 2022-12-25 18:24:55.000000000 +0000
+++ python-pyramid-2.0+dfsg/debian/changelog 2026-06-03 14:04:50.000000000 +0000
@@ -1,3 +1,12 @@
+python-pyramid (2.0+dfsg-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches: (Closes: #1050740)
+ - CVE-2023-40587: Import and backport upstream patch
+ (Information disclosure via null-byte path traversal)
+
+ -- Matheus Polkorny <[email protected]> Wed, 03 Jun 2026 11:04:50 -0300
+
 python-pyramid (2.0+dfsg-2) unstable; urgency=medium
 
 * Team upload.
diff -Nru python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch
--- python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch 2026-06-03 14:04:50.000000000 +0000
@@ -0,0 +1,75 @@
+From: Tres Seaver <[email protected]>
+Date: Mon, 21 Aug 2023 14:43:12 -0400
+Subject: fix: reject NUL character as path element
+
+See: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
+
+Origin: upstream, https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85
+---
+ src/pyramid/static.py | 10 +++++-----
+ tests/fixtures/index.html | 1 +
+ tests/test_static.py | 13 +++++++++++++
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+ create mode 100644 tests/fixtures/index.html
+
+diff --git a/src/pyramid/static.py b/src/pyramid/static.py
+index 8b19c7b..4cabf1d 100644
+--- a/src/pyramid/static.py
++++ b/src/pyramid/static.py
+@@ -260,12 +260,12 @@ def _add_vary(response, option):
+ response.vary = vary
+
+
+-_seps = {'/', os.sep}
++_invalid_element_chars = {'/', os.sep, '\x00'}
+
+
+-def _contains_slash(item):
+- for sep in _seps:
+- if sep in item:
++def _contains_invalid_element_char(item):
++ for invalid_element_char in _invalid_element_chars:
++ if invalid_element_char in item:
+ return True
+
+
+@@ -279,7 +279,7 @@ def _secure_path(path_tuple):
+ # unless someone screws up the traversal_path code
+ # (request.subpath is computed via traversal_path too)
+ return None
+- if any([_contains_slash(item) for item in path_tuple]):
++ if any([_contains_invalid_element_char(item) for item in path_tuple]):
+ return None
+ encoded = '/'.join(path_tuple) # will be unicode
+ return encoded
+diff --git a/tests/fixtures/index.html b/tests/fixtures/index.html
+new file mode 100644
+index 0000000..a37df57
+--- /dev/null
++++ b/tests/fixtures/index.html
+@@ -0,0 +1 @@
++<h1>DON'T GO HERE</h1>
+diff --git a/tests/test_static.py b/tests/test_static.py
+index 3fc6586..29de0b8 100644
+--- a/tests/test_static.py
++++ b/tests/test_static.py
+@@ -104,6 +104,19 @@ class Test_static_view_use_subpath_False(unittest.TestCase):
+
+ self.assertRaises(HTTPNotFound, inst, context, request)
+
++ def test_oob_nul_char(self):
++ import os
++
++ inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static')
++ dds = '..\x00/'
++ request = self._makeRequest(
++ {'PATH_INFO': f'/{dds}'}
++ )
++ context = DummyContext()
++ from pyramid.httpexceptions import HTTPNotFound
++
++ self.assertRaises(HTTPNotFound, inst, context, request)
++
+ def test_resource_doesnt_exist(self):
+ inst = self._makeOne('tests:fixtures/static')
+ request = self._makeRequest({'PATH_INFO': '/notthere'})
diff -Nru python-pyramid-2.0+dfsg/debian/patches/series python-pyramid-2.0+dfsg/debian/patches/series
--- python-pyramid-2.0+dfsg/debian/patches/series 2022-12-25 18:24:55.000000000 +0000
+++ python-pyramid-2.0+dfsg/debian/patches/series 2026-06-03 14:04:50.000000000 +0000
@@ -1 +1,2 @@
 python-3.11
+CVE-2023-40587.patch
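Review bot: The DEP-3 header of the new debian/patches/CVE-2023-40587.patch records the advisory under a non-standard `See:` key and carries no Debian bug reference even though the changelog entry closes #1050740; the patch-tracking tooling reads `Bug:` and `Bug-Debian:`, so I would replace the `See:` line with `Bug: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8` and add `Bug-Debian: https://bugs.debian.org/1050740` next to `Origin:`. In the backported code, `_contains_invalid_element_char` still falls off the end and yields `None` rather than `False` when no offending character is found; `any()` in `_secure_path` tolerates that, but `return any(c in item for c in _invalid_element_chars)` would make the predicate explicit and drop the loop. The added `test_oob_nul_char` derives its static root from `os.getcwd()` instead of the `tests:fixtures/static` asset spec used by the neighbouring `test_resource_doesnt_exist`, so it only passes when the suite runs from the source root, which is worth noting if the package build ever changes working directory. `_secure_path` and the `Test_static_view_use_subpath_False` class both continue outside the quoted hunks.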

